[Ans.]openssh3.5p1 version ... Password aging problem???

Darren Tucker dtucker at zip.com.au
Tue May 13 19:52:25 EST 2003


Peter Stuge wrote:
> What is the status on interfacing with the system passwd command for
> changing passwords? It's only for non-PAM situations, but is it still
> relevant there? I have tried one way of setting up the "chat scripts" but
> that failed, I've implemented the skeleton for a second try but have been
> too busy with other things to finish it for wider testing.

The chat-script method is only applicable to SSH2 (with
MSG_USERAUTH_PASSWD_CHANGEREQ), if you want to support changes with
protocol 1 you still need passwd-in-session[1].  I think the argument is
that since it's needed anyway, using it for protocol 2 as well is the
smallest set of changes.

> My binary implementing this is currently 6384 bytes when stripped.

How many lines of code is that?  Don't forget the reason you're doing this
is so you don't need ~160 lines of platform-specific change functions
(that's for AIX and shadow platforms) which is 4416 bytes stripped on
Linux/i386.

I suspect that any wins from using /bin/passwd everywhere will be more
than offset by handling platform specific weirdness.

[1] Someone (Frank?) proposed doing this via TIS challenge-response on
Protocol 1.  By my reading of the RFC you only get one challenge and one
response so in order for that to work you'd need the user to respond with
something like "oldpassword,newpassword".  Of course, I could be wrong.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
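For readers following the MSG_USERAUTH_PASSWD_CHANGEREQ discussion above, here is an added example (not code from this thread, nor from OpenSSH) of the SSH2 password-change exchange that the chat-script approach hooks into. The message numbers (50 and 60) and field layout follow RFC 4252 section 8, which formalised the secsh-userauth draft current when this message was written; the function names, the sample user and passwords are assumptions constructed for illustration. The server-side parser rejects truncated fields and trailing bytes, which is the check a practitioner would want before handing the old and new passwords to a platform change routine.

```python
"""Added example: SSH2 'password' userauth, plain and change-request forms.
Wire format per RFC 4252 s.8; names and sample data are constructed here."""

import struct
from typing import Optional, Tuple

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode one SSH 'string' at offset; return (value, new offset).
    A truncated length or body raises rather than reading short."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_passwd_changereq(prompt: str, lang: str = "") -> bytes:
    """Server -> client: password accepted but expired, ask for a new one."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + ssh_string(prompt.encode("utf-8"))
            + ssh_string(lang.encode("utf-8")))


def parse_passwd_changereq(msg: bytes) -> Tuple[str, str]:
    """Client side: return (prompt, language tag) from a CHANGEREQ message."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise ValueError("not SSH_MSG_USERAUTH_PASSWD_CHANGEREQ")
    prompt, off = read_string(msg, 1)
    lang, off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after CHANGEREQ")
    return prompt.decode("utf-8"), lang.decode("utf-8")


def build_password_request(user: str, service: str, password: str,
                           new_password: Optional[str] = None) -> bytes:
    """Client -> server: 'password' method.  With new_password given, the
    boolean is TRUE and old then new password follow (the change form)."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST])
           + ssh_string(user.encode("utf-8"))
           + ssh_string(service.encode("utf-8"))
           + ssh_string(b"password"))
    if new_password is None:
        return msg + b"\x00" + ssh_string(password.encode("utf-8"))
    return (msg + b"\x01"
            + ssh_string(password.encode("utf-8"))
            + ssh_string(new_password.encode("utf-8")))


def parse_password_request(msg: bytes) -> dict:
    """Server side: decode a 'password' USERAUTH_REQUEST and report whether
    it carries a change.  Only the old/new pair is handed on if the flag is
    set and the message is exactly consumed."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = read_string(msg, 1)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"password":
        raise ValueError("unexpected method %r" % method)
    if off >= len(msg):
        raise ValueError("missing change flag")
    change = msg[off] != 0
    off += 1
    password, off = read_string(msg, off)
    new_password = None
    if change:
        new_password, off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after request")
    return {"user": user.decode("utf-8"), "service": service.decode("utf-8"),
            "change": change, "password": password.decode("utf-8"),
            "new_password": None if new_password is None
            else new_password.decode("utf-8")}


def expired_password_exchange() -> dict:
    """Both sides of the exchange with constructed sample data: the client
    sends a plain password, the server answers CHANGEREQ, the client resends
    with the change flag set and the server decodes old and new passwords."""
    first = parse_password_request(
        build_password_request("alice", "ssh-connection", "old-secret"))
    assert first["change"] is False
    prompt, _lang = parse_passwd_changereq(
        build_passwd_changereq("Your password has expired.", "en-US"))
    client_reply = build_password_request("alice", "ssh-connection",
                                          "old-secret", "new-secret")
    return parse_password_request(client_reply)


if __name__ == "__main__":
    print(expired_password_exchange())
```

Note that a server which honours the change form must still verify the old password itself before calling any platform change function; the boolean only tells it which form of the message it is looking at.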